Michelle McLean

VP of Marketing

This week StackRox launched the industry’s first ever State of Container Security report. To compile the findings, we surveyed more than 230 IT leaders across operations and security roles. Some responses came as no surprise – the dominance of Docker and Kubernetes, for example, or the breadth of industries using containers to accelerate application roll out. But many results did surprise us – including the extent to which security leads the list of concerns about companies’ container strategies.

We’re excited to share the news today that we’ve entered into a technology development and strategic investment agreement with In-Q-Tel (IQT). For nearly 20 years, IQT has been critical to driving cutting-edge technology into the U.S. Intelligence Community. The not-for-profit investor identifies innovative security startups and connects them with U.S. government agencies chartered with keeping the United States safe. In choosing to partner with StackRox, IQT has signaled the criticality of containers in driving application innovation today and the advanced security StackRox provides for these environments.

We’re picking up our coverage of Gartner’s security conference with a continued discussion of the Top 10 Security Projects Gartner recommends you do this year, in prioritized order. In Part I of the discussion, we highlighted Privileged Account Management, CARTA-inspired Vulnerability Management, and Active Anti Phishing. Neil continued his list by highlighting the need for protections like StackRox provides. #4 – Application Control on Server Workloads For this project, Neil emphasized the need to reduce the attack surface and limit certain functions from running on servers.

We’ve been highlighting a number of the talks at Gartner’s security conference last month, including on the value of shifting right with security, risk-prioritized vulnerability guidance, and the principles of continuous security. In this recap, we’ll profile Neil MacDonald’s presentation on the Top 10 Security Projects you should undertake this year. He led off the talk acknowledging we’re never “done” in security, and that it’s futile to try to build perfect security.

We’ve enjoyed a great partnership with Google, with our StackRox Container Security Platform enhancing the security capabilities of Google Cloud Platform. We were honored when the folks at GCP asked us to speak at the Next conference on security reference architectures. During his talk on Wednesday, July 25, our head of products, Wei Lien Dang, will highlight three customers – a Fortune 100 bank, a Fortune 50 financial services firm, and a Global 200 e-commerce company.

In recent blog posts, we’ve been highlighting some of the key takeaways from Gartner’s recent security conference. In the session on the top 10 principles of CARTA (Continuous Adaptive Risk and Trust Assessment), Neil MacDonald highlighted how organizations need to change their security practices to match today’s world. One of the more interesting observations Neil made was that organizations in general have over-invested in preventative measures and they’ve underinvested in the detection and response.

As we continue to explore some of the major themes from Gartner’s recent security conference, the theme of Continuous Security came up throughout the week. Gartner analyst Neil MacDonald spent time defining both the principles of CARTA – Continuous Adaptive Risk and Trust Assessment – and highlighting the priority security projects that adhere to those principles. Most security infrastructure, Neil argues, was designed for a world in which we knew good vs.

We recently highlighted Gartner’s advice to “shift right” with security, to avoid burdening developers from a security standpoint. Gartner analyst Dale Gardner continued that theme with this opening slide to his talk advising teams to “Fix What Matters” in the area of vulnerabilities. Dale noted that we excel at finding vulnerabilities, leading to the garbage heap analogy. “We end up with this graveyard of multiple vulnerability reports,” Dale observed. Bringing this world view into container security doesn’t make this problem any easier – indeed, now you have more “things” to secure.

Over the next week or so, I’ll be sharing some insights and observations from last week’s Gartner security summit conference. We’ll explore key conference themes around how DevOps and Security can work better together, the role of ML and automation, and the major challenges still confronting security practitioners. The infinite loop pictured here was a theme throughout many presentations. All visual models like this quickly become a little too complicated, but this vision of continuous security and a constant feedback loop between the build/deploy phase and the runtime phase really hits a chord with us here at StackRox.

We’re just a couple weeks out from our first DockerCon show. Our container deployment governance, runtime security, and feedback loop between security and DevOps have proven really valuable to our customers, and we’re looking forward to sharing these success stories on the show floor. Docker has been a great partner for us here at StackRox. Spending time with the Docker developer community talking about how they can accelerate development while deploying securely will provide great input for us.

Like at least 20,000 other of our closest friends, we call it a victory just to have survived the chaos of the RSA Conference last week. Terrible traffic. Mission Street torn up. Moscone renovations. Shaking enough hands to get sick. A too-quiet show floor. And of course, the much bemoaned “take over by marketing” of security. The show leaves plenty to complain about. And yet… StackRox had a great, great week.